# HG changeset patch
# User michael
# Date 1253715557 0
# Node ID b9f5f8b8f0731302e1747693d85d9f3dbd73c90e
# Parent 64dd9515b93b63cfc0194ca0e3cec14b0b347401
Check submap indexes. 10_vorbis_submap_indexes.patch by chrome. I am applying this even though Reimar had some comments to improve it as it fixes a serious security issue and I do not want to leave such things unfixed.
diff -r 64dd9515b93b -r b9f5f8b8f073 vorbis_dec.c
--- a/vorbis_dec.c Wed Sep 23 13:52:56 2009 +0000
+++ b/vorbis_dec.c Wed Sep 23 14:19:17 2009 +0000
@@ -752,9 +752,20 @@
 }
 for(j=0;jsubmaps;++j) {
+ int bits;
 skip_bits(gb, 8); // FIXME check?
- mapping_setup->submap_floor[j]=get_bits(gb, 8);
- mapping_setup->submap_residue[j]=get_bits(gb, 8);
+ bits=get_bits(gb, 8);
+ if (bits>=vc->floor_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap floor value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_floor[j]=bits;
+ bits=get_bits(gb, 8);
+ if (bits>=vc->residue_count) {
+ av_log(vc->avccontext, AV_LOG_ERROR, "submap residue value %d out of range. \n", bits);
+ return -1;
+ }
+ mapping_setup->submap_residue[j]=bits;
 AV_DEBUG(" %d mapping %d submap : floor %d, residue %d \n", i, j, mapping_setup->submap_floor[j], mapping_setup->submap_residue[j]);
 }
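Review bot: The two read-validate-reject sequences added for `submap_floor[j]` and `submap_residue[j]` are copy-paste duplicates that differ only in the bound and one word of the message, which invites the two drifting apart the next time a bitstream index needs the same guard (the `skip_bits(gb, 8); // FIXME check?` line just above them is the obvious candidate). Folding the pattern into one file-scope macro that reports the index name and the limit in a single format string keeps the checks consistent and makes the rejection path visible at a glance inside the loop. Both messages also carry a stray space before the newline (`"... out of range. \n"`), which the shared format string removes. The enclosing function starts and ends outside this hunk, and the `for` header as shown appears to have lost its `<` comparison to extraction, so I read it as looping `j` below `mapping_setup->submaps`.
```c
/* Reads an nbits-wide index into idx and rejects it unless idx < limit;
 * on failure logs the offending value and returns -1 from the caller. */
#define GET_VALIDATED_INDEX(idx, nbits, limit) \
    do { \
        idx = get_bits(gb, nbits); \
        if ((idx) >= (limit)) { \
            av_log(vc->avccontext, AV_LOG_ERROR, "%s value %d out of range (max %d)\n", \
                   #idx, (int)(idx), (int)(limit) - 1); \
            return -1; \
        } \
    } while (0)

/* … unchanged: loop header over submaps and the skip_bits() call … */
            GET_VALIDATED_INDEX(mapping_setup->submap_floor[j],   8, vc->floor_count);
            GET_VALIDATED_INDEX(mapping_setup->submap_residue[j], 8, vc->residue_count);
```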